First you need to create the different subdomain lists with the generate-subdomains-list.sh script. It creates four files:
- subdomains-100.txt
- subdomains-500.txt
- subdomains-1000.txt
- subdomains-10000.txt
with 100, 500, 1000 or 10000 entries respectively. Of course, you can use your own list instead.

This is the 'core' of the generate-subdomains-lists.sh script. We fetch the content of the following GitHub page, strip the HTML with a few 'cut' calls, and write the remaining entries to a file, here subdomains-10000.txt.

Nothing really complex here: the script takes two arguments, first the domain name, then the wordlist file. It first checks that it received two arguments, then that the file exists. After that, for each entry it runs a simple host command on the concatenation of the subdomain from the file and the domain name. If the output can be grepped for 'has address', the subdomain exists and we get its IP address; otherwise the name does not exist.

The dns-reverse-lookup script automates DNS reverse enumeration. If the DNS administrator configured PTR records[1] for the domain, this can reveal additional host names that were missed during the forward lookup brute-force phase done with the earlier script.
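Example code, added here and not the post's own scripts, showing the forward brute force exactly as described above (two arguments, argument and file checks, host plus a 'has address' match) together with the PTR parsing used by the reverse lookup. It assumes host(1) is installed and that the wordlist has one label per line; the host output lines quoted in the comments are constructed samples. The parsing is kept in its own functions so it can be checked without network access, and the script is meant to be run against a domain you administer, as an inventory of what your DNS actually exposes.

```shell
#!/bin/sh
# Added example, not the post's scripts. Assumptions: host(1) is installed,
# the wordlist holds one label per line (blank lines and '#' comments skipped).

# Pull "name ip" pairs out of host(1) A-record output read on stdin.
# host prints e.g. "www.example.com has address 93.184.216.34" (constructed sample).
parse_host_output() {
  awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# Pull "ip name" pairs out of host(1) PTR output read on stdin.
# host prints e.g. "34.216.184.93.in-addr.arpa domain name pointer www.example.com."
# (constructed sample). The in-addr.arpa name is turned back into a dotted IPv4
# address and the trailing dot on the hostname is dropped. IPv6 (ip6.arpa) is ignored.
parse_ptr_output() {
  awk '$2 == "domain" && $3 == "name" && $4 == "pointer" {
         n = split($1, o, ".")
         if (n != 6 || o[5] != "in-addr") next
         ip = o[4] "." o[3] "." o[2] "." o[1]
         sub(/\.$/, "", $5)
         print ip, $5
       }'
}

# Validate the command line: exactly two arguments, second one a readable file.
check_args() {
  if [ "$#" -ne 2 ]; then
    echo "usage: $0 <domain> <subdomain-list>" >&2
    return 1
  fi
  if [ ! -r "$2" ]; then
    echo "error: cannot read wordlist '$2'" >&2
    return 1
  fi
  return 0
}

# Turn the wordlist into fully qualified candidate names, one per line.
# $1 = domain, $2 = wordlist. Works offline.
candidate_names() {
  while IFS= read -r sub || [ -n "$sub" ]; do
    case "$sub" in ''|\#*) continue ;; esac
    printf '%s.%s\n' "$sub" "$1"
  done < "$2"
}

# Forward lookup of one name; prints "name ip" per A record, nothing on NXDOMAIN.
resolve_forward() {
  host -t A "$1" 2>/dev/null | parse_host_output
}

# Reverse lookup of one IPv4 address; prints "ip name" if a PTR record exists.
resolve_reverse() {
  host "$1" 2>/dev/null | parse_ptr_output
}

# Walk the wordlist and report every name that resolves.
brute_force() {
  candidate_names "$1" "$2" | while IFS= read -r name; do
    resolve_forward "$name"
  done
}

# Run only when arguments are supplied, so the file can also be sourced.
if [ "$#" -eq 0 ]; then
  echo "usage: $0 <domain> <subdomain-list>" >&2
else
  check_args "$@" || exit 1
  brute_force "$1" "$2"
fi
```

Run it as `sh dns-forward.sh example.com subdomains-100.txt`; to check a PTR record, source the file and call `resolve_reverse 93.184.216.34`. Because host exits non-zero on NXDOMAIN, the script ignores its exit status and relies solely on the parser, which is the same effect as the grep for 'has address' in the post.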

The dns-zone-transfert.sh script tries to obtain a copy of the zone file, the way a slave server would request it from the master DNS server. That can reveal both the external and the internal DNS namespace. It is not directly a network breach, but it gives us juicy information that can facilitate a pentest.

So, it's a very basic tool that you can use to automate subdomain searching. If you have any questions or suggestions for improvements, feel free to leave a comment with your suggestion or send a pull request.